Miscommunication between IT and security teams leads to network security gaps

Last week, Nimmy, in his post ‘Security is from Mars and Application Delivery is from Venus’, provided some great insights into the differences between the perceptions of these two teams, and how they should align for the greater benefit of the company.

As a security consultant, I have firsthand experience of this miscommunication. If there has ever been a universal law that impacts network security it’s the saying: communication is not what’s said but rather what’s heard. IT and security professionals are often so busy putting out fires that so many things are said in passing often goes in one ear and out the other. Exacerbating the challenge, IT and security are known to have some strong personalities (I was once part of that club!). Regardless of the underlying psychological explanations, the reality is that time and again there are situations where IT and security team members say things to one another assuming that what needed to be said has indeed been said and that the message was properly received. It’s often not.

For instance, an information security manager might request the latest policies from a firewall or network access control system so that the configurations can be reviewed to ensure that they’re in line with current security standards or, perhaps, meet the recommendations of a recent risk assessment. No detailed explanation is given for the request – just that the latest policies are needed. The appropriate IT lead then gathers and shares the information but doesn’t add any context around the deliverables, such as the fact that the configs do not apply to the entire production environment in question, things are going to change next week, etc. There are always variables and things that go unsaid that need to be said.

So, what we have in this situation is someone requesting information and getting back something quite different, but it goes undetected. Assumptions are made. Things are overlooked. The state of security is not truly understood. I could provide a thousand other examples of such communication breakdowns. These are normal human communication challenges but the problem is that, in this context, they create unnecessary business risks. Risks that can end up being extremely costly to the business and the people involved.

The same thing happens when IT and security professionals communicate with management and end users. In this situation, the recipients of the messages are often talked at – even talked down to. The IT and security staff members go about their business assuming that all is well. Ditto for management and end users. Nothing really gets done and network security risks remain or even get worse. All because people are too busy (or proud) to take the time to speak, listen, and ensure the messages are truly heard and that all parties involved are going to carry their weight to do what needs to be done.

Gerald Ford once said “Nothing in life is more important than the ability to communicate effectively.” You cannot control other people’s behaviors and choices, however, you can control how good of a communicator you are. Whether you are having casual conversations with your peers in IT and security or you’re participating in formal security committee meetings, make sure that what you are saying is being heard and vice versa. Make things actionable and ensure they get done. The human factor is the most complex part of IT and network security. Do what you can to minimize that variable’s impact on the overall equation. Otherwise, it’ll be history repeating itself over and over again.